From 69b2ebbf7fa429a5a3b2aba086b3a5a1a0082461 Mon Sep 17 00:00:00 2001 
From: Thomas Krampl Date: Fri, 17 Apr 2026 11:25:30 +0200 Subject: [PATCH 1/3] Add console-backend-rbac Helm chart and update chart structure - Add charts/console-backend-rbac with RBAC resources for console-backend - Move nais-api chart to charts/nais-api - Update workflows and scripts to support multiple charts - Update lint and build steps for new chart layout --- .../workflows/console-backend-rbac-chart.yaml | 69 +++++ .github/workflows/main.yaml | 8 +- .mise-tasks/check/helm-lint | 2 +- charts/console-backend-rbac/.helmignore | 23 ++ charts/console-backend-rbac/Chart.yaml | 7 + charts/console-backend-rbac/Feature.yaml | 8 + .../console-backend-rbac/templates/rbac.yaml | 292 ++++++++++++++++++ charts/console-backend-rbac/values.yaml | 5 + charts/{ => nais-api}/Chart.yaml | 2 +- charts/{ => nais-api}/Feature.yaml | 0 .../{ => nais-api}/templates/deployment.yaml | 0 .../{ => nais-api}/templates/fqdnnetpol.yaml | 0 charts/{ => nais-api}/templates/ingress.yaml | 0 .../{ => nais-api}/templates/lease-role.yaml | 0 .../templates/lease-rolebinding.yaml | 0 .../templates/networkpolicy.yaml | 0 .../{ => nais-api}/templates/podmonitor.yaml | 0 .../templates/prometheusrule.yaml | 0 charts/{ => nais-api}/templates/secret.yaml | 0 charts/{ => nais-api}/templates/service.yaml | 0 .../templates/serviceaccount.yaml | 0 .../templates/unleash-clusterrole.yaml | 0 .../templates/unleash-clusterrolebinding.yaml | 0 charts/{ => nais-api}/values.yaml | 0 24 files changed, 410 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/console-backend-rbac-chart.yaml create mode 100644 charts/console-backend-rbac/.helmignore create mode 100644 charts/console-backend-rbac/Chart.yaml create mode 100644 charts/console-backend-rbac/Feature.yaml create mode 100644 charts/console-backend-rbac/templates/rbac.yaml create mode 100644 charts/console-backend-rbac/values.yaml rename charts/{ => nais-api}/Chart.yaml (65%) rename charts/{ => nais-api}/Feature.yaml (100%) rename charts/{ => 
nais-api}/templates/deployment.yaml (100%) rename charts/{ => nais-api}/templates/fqdnnetpol.yaml (100%) rename charts/{ => nais-api}/templates/ingress.yaml (100%) rename charts/{ => nais-api}/templates/lease-role.yaml (100%) rename charts/{ => nais-api}/templates/lease-rolebinding.yaml (100%) rename charts/{ => nais-api}/templates/networkpolicy.yaml (100%) rename charts/{ => nais-api}/templates/podmonitor.yaml (100%) rename charts/{ => nais-api}/templates/prometheusrule.yaml (100%) rename charts/{ => nais-api}/templates/secret.yaml (100%) rename charts/{ => nais-api}/templates/service.yaml (100%) rename charts/{ => nais-api}/templates/serviceaccount.yaml (100%) rename charts/{ => nais-api}/templates/unleash-clusterrole.yaml (100%) rename charts/{ => nais-api}/templates/unleash-clusterrolebinding.yaml (100%) rename charts/{ => nais-api}/values.yaml (100%)
diff --git a/.github/workflows/console-backend-rbac-chart.yaml b/.github/workflows/console-backend-rbac-chart.yaml
new file mode 100644
index 000000000..e48f065ef
--- /dev/null
+++ b/.github/workflows/console-backend-rbac-chart.yaml
@@ -0,0 +1,69 @@
+name: Build and push chart console-backend-rbac
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - charts/console-backend-rbac/**
+ - .github/workflows/console-backend-rbac-chart.yaml
+
+env:
+ NAME: console-backend-rbac
+ IMAGE_REPOSITORY: oci://europe-north1-docker.pkg.dev/nais-io/nais
+
+jobs:
+ lint:
+ name: Lint
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ - uses: jdx/mise-action@v4
+ - run: helm lint --strict charts/console-backend-rbac
+
+ build_push:
+ needs:
+ - lint
+ permissions:
+ contents: read
+ id-token: write
+ if: github.triggering_actor != 'dependabot[bot]'
+ name: Build and push
+ runs-on: ubuntu-latest
+ outputs:
+ version: ${{ steps.version.outputs.version }}
+ steps:
+ - uses: actions/checkout@v6
+ - uses: jdx/mise-action@v4
+ - name: Generate version
+ id: version
+ run: echo "version=$(TZ='Europe/Oslo' date +'%Y-%m-%d-%H%M%S')-$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+ - name: Authenticate to Google Cloud
+ id: auth
+ uses: google-github-actions/auth@v3
+ with:
+ workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
+ service_account: gh-api@nais-io.iam.gserviceaccount.com
+ token_format: access_token
+ - name: Login to Google Artifact Registry
+ run: echo "${{ steps.auth.outputs.access_token }}" | helm registry login europe-north1-docker.pkg.dev --username oauth2accesstoken --password-stdin
+ - name: Build Chart
+ run: |-
+ sed -i "s/^version: .*/version: ${{ steps.version.outputs.version }}/g" charts/console-backend-rbac/Chart.yaml
+ cat charts/console-backend-rbac/Chart.yaml
+ helm package charts/console-backend-rbac
+ - name: Push Chart
+ run: helm push ${{ env.NAME }}*.tgz ${{ env.IMAGE_REPOSITORY }}
+
+ rollout:
+ needs:
+ - lint
+ - build_push
+ runs-on: fasit-deploy
+ if: github.ref == 'refs/heads/main'
+ permissions:
+ id-token: write
+ steps:
+ - uses: nais/fasit-deploy@v2 # ratchet:exclude
+ with:
+ chart: ${{ env.IMAGE_REPOSITORY }}/${{ env.NAME }}
+ version: ${{ needs.build_push.outputs.version }}
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index f919cd94e..65e92240f 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -36,7 +36,7 @@ jobs:
 with:
 key: lint
 restore-keys: test
- - run: helm lint --strict ./charts
+ - run: helm lint --strict ./charts/*
 - run: mise run check:staticcheck
 - run: mise run check:vulncheck
 - name: Check code format and run code generators
@@ -74,9 +74,9 @@ jobs:
 push: true
 - name: Build Chart
 run: |-
- sed -i "s/^version: .*/version: ${{ steps.build-push-sign.outputs.version }}/g" charts/Chart.yaml
- cat charts/Chart.yaml
- helm package charts
+ sed -i "s/^version: .*/version: ${{ steps.build-push-sign.outputs.version }}/g" charts/nais-api/Chart.yaml
+ cat charts/nais-api/Chart.yaml
+ helm package charts/nais-api
 - name: Push Chart
 run: |-
 helm push ${{ env.NAME }}*.tgz ${{ env.IMAGE_REPOSITORY }}
diff --git a/.mise-tasks/check/helm-lint b/.mise-tasks/check/helm-lint
index c27c40b32..a56d5123b 100755
--- a/.mise-tasks/check/helm-lint
+++ b/.mise-tasks/check/helm-lint
@@ -3,4 +3,4 @@ set -e
-helm lint --strict ./charts
+helm lint --strict ./charts/*
diff --git a/charts/console-backend-rbac/.helmignore b/charts/console-backend-rbac/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/charts/console-backend-rbac/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/console-backend-rbac/Chart.yaml b/charts/console-backend-rbac/Chart.yaml
new file mode 100644
index 000000000..df7e20b5d
--- /dev/null
+++ b/charts/console-backend-rbac/Chart.yaml
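Review bot: The lint step `- run: helm lint --strict charts/console-backend-rbac` renders the chart with its default values, and values.yaml in this series sets `fasit.env.kind: ""`, so neither the `tenant` nor the `onprem` branch of templates/rbac.yaml is rendered and the lint validates no Kubernetes object at all. Lint once per supported kind so errors in the RBAC objects are caught before the chart is pushed: `- run: helm lint --strict charts/console-backend-rbac --set fasit.env.kind=tenant` and `- run: helm lint --strict charts/console-backend-rbac --set fasit.env.kind=onprem`. The same limitation applies to the `helm lint --strict ./charts/*` lines in the main.yaml and .mise-tasks/check/helm-lint hunks. Separately, `nais/fasit-deploy@v2 # ratchet:exclude` and the other `uses:` references are tag-pinned rather than commit-pinned; if ratchet is expected to pin the rest, a comment saying why this one is exempt would help the next reader.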
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: console-backend-rbac
+description: ClusterRole and ClusterRoleBinding for console-backend
+type: application
+version: 0.1.1
+sources:
+ - https://github.com/nais/api/tree/main/charts/console-backend-rbac
diff --git a/charts/console-backend-rbac/Feature.yaml b/charts/console-backend-rbac/Feature.yaml
new file mode 100644
index 000000000..1896e6f7d
--- /dev/null
+++ b/charts/console-backend-rbac/Feature.yaml
@@ -0,0 +1,8 @@
+environmentKinds:
+ - tenant
+ - onprem
+values:
+ managementProjectID:
+ displayName: Management Project ID
+ computed:
+ template: "{{ .Management.project_id }}"
diff --git a/charts/console-backend-rbac/templates/rbac.yaml b/charts/console-backend-rbac/templates/rbac.yaml
new file mode 100644
index 000000000..36d734bf2
--- /dev/null
+++ b/charts/console-backend-rbac/templates/rbac.yaml
@@ -0,0 +1,292 @@
+{{- if eq .Values.fasit.env.kind "tenant" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: "{{ .Release.Name }}"
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/log
+ - configmaps
+ verbs:
+ - list
+ - get
+ - watch
+ - apiGroups:
+ - "apps"
+ resources:
+ - replicasets
+ verbs:
+ - list
+ - get
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - users
+ - groups
+ - serviceaccounts
+ verbs:
+ - impersonate
+ - apiGroups:
+ - sql.cnrm.cloud.google.com
+ resources:
+ - sqlinstances
+ - sqldatabases
+ verbs:
+ - list
+ - watch
+ # These (and most other resources) are already granted through the GKE IAM roles (roles/container.viewer)
+ - apiGroups:
+ - aiven.io
+ resources:
+ - opensearches
+ - valkeys
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - create
+ # Elevation: nais-api must hold the permissions it grants to users
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - pods/exec
+ - pods/portforward
+ verbs:
+ - create
+ - apiGroups:
+ - ""
+ resources:
+ - pods/ephemeralcontainers
+ verbs:
+ - patch
+ - apiGroups:
+ - "nais.io"
+ resources:
+ - valkeys
+ - opensearches
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - "aiven.nais.io"
+ resources:
+ - aivenapplications
+ verbs:
+ - get
+ - create
+ - update
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: "{{ .Release.Name }}"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: "{{ .Release.Name }}"
+subjects:
+ - kind: User
+ name: "console-backend@{{ .Values.managementProjectID }}.iam.gserviceaccount.com"
+ - kind: User
+ name: "nais-api@{{ .Values.managementProjectID }}.iam.gserviceaccount.com"
+{{- end }}
+
+{{- if eq .Values.fasit.env.kind "onprem" }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: console-backend
+ namespace: nais-system
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: nais-api
+ namespace: nais-system
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: "{{ .Release.Name }}"
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ - configmaps
+ - pods
+ - pods/log
+ verbs:
+ - list
+ - get
+ - watch
+ - apiGroups:
+ - "apps"
+ resources:
+ - replicasets
+ verbs:
+ - list
+ - get
+ - watch
+ - apiGroups:
+ - "batch"
+ resources:
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "kafka.nais.io"
+ resources:
+ - topics
+ - streams
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "nais.io"
+ resources:
+ - naisjobs
+ - applications
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - users
+ - groups
+ - serviceaccounts
+ verbs:
+ - impersonate
+ - apiGroups:
+ - unleash.nais.io
+ resources:
+ - remoteunleashes
+ verbs:
+ - "*"
+ - apiGroups:
+ - "networking.k8s.io"
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "google.nais.io"
+ resources:
+ - bigquerydatasets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "events.k8s.io"
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "data.nais.io"
+ resources:
+ - postgres
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Release.Name }}
+subjects:
+ - kind: ServiceAccount
+ name: console-backend
+ namespace: nais-system
+ - kind: ServiceAccount
+ name: nais-api
+ namespace: nais-system
+---
+kind: Secret
+apiVersion: v1
+metadata:
+ name: console-backend
+ namespace: nais-system
+ annotations:
+ "kubernetes.io/service-account.name": console-backend
+type: kubernetes.io/service-account-token
+---
+kind: Secret
+apiVersion: v1
+metadata:
+ name: nais-api
+ namespace: nais-system
+ annotations:
+ "kubernetes.io/service-account.name": nais-api
+type: kubernetes.io/service-account-token
+{{- end }}
diff --git a/charts/console-backend-rbac/values.yaml b/charts/console-backend-rbac/values.yaml
new file mode 100644
index 000000000..30b57aa27
--- /dev/null
+++ b/charts/console-backend-rbac/values.yaml
@@ -0,0 +1,5 @@
+fasit:
+ env:
+ kind: ""
+
+managementProjectID: ""
diff --git a/charts/Chart.yaml b/charts/nais-api/Chart.yaml
similarity index 65%
rename from charts/Chart.yaml
rename to charts/nais-api/Chart.yaml
index 7707b162a..e1c47930e 100644
--- a/charts/Chart.yaml
+++ b/charts/nais-api/Chart.yaml
@@ -4,4 +4,4 @@ description: The all mighty Nais API
 type: application
 version: 1.0.0
 sources:
- - https://github.com/nais/api/tree/main/charts
+ - https://github.com/nais/api/tree/main/charts/nais-api
diff --git a/charts/Feature.yaml b/charts/nais-api/Feature.yaml
similarity index 100%
rename from charts/Feature.yaml
rename to charts/nais-api/Feature.yaml
diff --git a/charts/templates/deployment.yaml b/charts/nais-api/templates/deployment.yaml
similarity index 100%
rename from charts/templates/deployment.yaml
rename to charts/nais-api/templates/deployment.yaml
diff --git a/charts/templates/fqdnnetpol.yaml b/charts/nais-api/templates/fqdnnetpol.yaml
similarity index 100%
rename from charts/templates/fqdnnetpol.yaml
rename to charts/nais-api/templates/fqdnnetpol.yaml
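Review bot: In the `onprem` block the second ServiceAccount (`name: nais-api`) begins directly after `namespace: nais-system` of the first one with no `---` between them, so both render into a single YAML document with repeated `apiVersion`/`kind`/`metadata` keys; depending on the parser this is rejected as a duplicate-key error or collapses to the `nais-api` account only, leaving the `console-backend` subject of the ClusterRoleBinding and the `console-backend` token Secret pointing at a ServiceAccount that was never created. Insert `---` between the two ServiceAccount documents, as the rest of the block does between objects. Because values.yaml defaults `fasit.env.kind` to `""`, `helm lint --strict` renders neither branch and will not surface this; linting with `--set fasit.env.kind=onprem` would. As a point of style, the onprem ClusterRoleBinding uses bare `name: {{ .Release.Name }}` in two places while every other name in the file is written `"{{ .Release.Name }}"`; quoting these too keeps a release name that starts with a YAML indicator from breaking the manifest. The two `kubernetes.io/service-account-token` Secrets mint long-lived, non-expiring tokens; a short comment above them stating why static tokens are required here would help the next reviewer judge the risk.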
diff --git a/charts/templates/ingress.yaml b/charts/nais-api/templates/ingress.yaml
similarity index 100%
rename from charts/templates/ingress.yaml
rename to charts/nais-api/templates/ingress.yaml
diff --git a/charts/templates/lease-role.yaml b/charts/nais-api/templates/lease-role.yaml
similarity index 100%
rename from charts/templates/lease-role.yaml
rename to charts/nais-api/templates/lease-role.yaml
diff --git a/charts/templates/lease-rolebinding.yaml b/charts/nais-api/templates/lease-rolebinding.yaml
similarity index 100%
rename from charts/templates/lease-rolebinding.yaml
rename to charts/nais-api/templates/lease-rolebinding.yaml
diff --git a/charts/templates/networkpolicy.yaml b/charts/nais-api/templates/networkpolicy.yaml
similarity index 100%
rename from charts/templates/networkpolicy.yaml
rename to charts/nais-api/templates/networkpolicy.yaml
diff --git a/charts/templates/podmonitor.yaml b/charts/nais-api/templates/podmonitor.yaml
similarity index 100%
rename from charts/templates/podmonitor.yaml
rename to charts/nais-api/templates/podmonitor.yaml
diff --git a/charts/templates/prometheusrule.yaml b/charts/nais-api/templates/prometheusrule.yaml
similarity index 100%
rename from charts/templates/prometheusrule.yaml
rename to charts/nais-api/templates/prometheusrule.yaml
diff --git a/charts/templates/secret.yaml b/charts/nais-api/templates/secret.yaml
similarity index 100%
rename from charts/templates/secret.yaml
rename to charts/nais-api/templates/secret.yaml
diff --git a/charts/templates/service.yaml b/charts/nais-api/templates/service.yaml
similarity index 100%
rename from charts/templates/service.yaml
rename to charts/nais-api/templates/service.yaml
diff --git a/charts/templates/serviceaccount.yaml b/charts/nais-api/templates/serviceaccount.yaml
similarity index 100%
rename from charts/templates/serviceaccount.yaml
rename to charts/nais-api/templates/serviceaccount.yaml
diff --git a/charts/templates/unleash-clusterrole.yaml b/charts/nais-api/templates/unleash-clusterrole.yaml
similarity index 100%
rename from charts/templates/unleash-clusterrole.yaml
rename to charts/nais-api/templates/unleash-clusterrole.yaml
diff --git a/charts/templates/unleash-clusterrolebinding.yaml b/charts/nais-api/templates/unleash-clusterrolebinding.yaml
similarity index 100%
rename from charts/templates/unleash-clusterrolebinding.yaml
rename to charts/nais-api/templates/unleash-clusterrolebinding.yaml
diff --git a/charts/values.yaml b/charts/nais-api/values.yaml
similarity index 100%
rename from charts/values.yaml
rename to charts/nais-api/values.yaml
From 256fda7145e6c4dcf4324b797afc0f252ef2c577 Mon Sep 17 00:00:00 2001
From: Thomas Krampl Date: Fri, 17 Apr 2026 11:27:56 +0200 Subject: [PATCH 2/3] Set permission for github token --- .github/workflows/console-backend-rbac-chart.yaml | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/console-backend-rbac-chart.yaml b/.github/workflows/console-backend-rbac-chart.yaml
index e48f065ef..4bff3cc80 100644
--- a/.github/workflows/console-backend-rbac-chart.yaml
+++ b/.github/workflows/console-backend-rbac-chart.yaml
@@ -14,6 +14,8 @@ env:
 jobs:
 lint:
 name: Lint
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v6
From bb38df46901ad760b8c48bec036e6cad4c9438fb Mon Sep 17 00:00:00 2001
From: Thomas Krampl Date: Fri, 17 Apr 2026 11:33:30 +0200 Subject: [PATCH 3/3] Move permission to root --- .github/workflows/console-backend-rbac-chart.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/console-backend-rbac-chart.yaml b/.github/workflows/console-backend-rbac-chart.yaml
index 4bff3cc80..48c54cd50 100644
--- a/.github/workflows/console-backend-rbac-chart.yaml
+++ b/.github/workflows/console-backend-rbac-chart.yaml
@@ -7,6 +7,9 @@ on:
 - charts/console-backend-rbac/**
 - .github/workflows/console-backend-rbac-chart.yaml
 
+permissions:
+ contents: read
+
 env:
 NAME: console-backend-rbac
 IMAGE_REPOSITORY: oci://europe-north1-docker.pkg.dev/nais-io/nais
@@ -14,8 +17,6 @@ env:
 jobs:
 lint:
 name: Lint
- permissions:
- contents: read
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v6